From 253d165c2cee90ea025f2629e93fa2d605bb91f8 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Fri, 25 Jun 2021 15:09:30 -0400
Subject: [PATCH] Configure deployment on the various hosts, turn it on for
 localdev

Also add my key to local secrets for the moment because otherwise localdev
grid cannot build itself :/
---
 morph/grid/local/config.json       |  1 +
 morph/grid/local/grid.nix          |  8 ++++++++
 morph/grid/local/secrets/users.nix |  5 ++---
 morph/lib/issuer.nix               |  3 +++
 morph/lib/monitoring.nix           |  3 +++
 morph/lib/storage.nix              |  2 ++
 nixos/modules/deployment.nix       |  9 ++++++---
 nixos/modules/ssh.nix              |  6 ------
 nixos/modules/update-deployment    | 10 ++++++++--
 9 files changed, 33 insertions(+), 14 deletions(-)
 mode change 100644 => 100755 nixos/modules/deployment.nix
 mode change 100644 => 100755 nixos/modules/update-deployment

diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 3d377cc0..f55b4444 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -10,4 +10,5 @@
 , "allowedChargeOrigins": [
     "http://localhost:5000"
   ]
+, "deployKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANTUgFOHIfRuVYEbxp8gD+H9uZV1RCQUC4AhCABYT57"
 }
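Review bot: The added `deployKey` value has no trailing identity comment, unlike the key committed in secrets/users.nix (`exarkun@baryon`), so the file does not record whose private key can trigger a deployment of the local grid or when it should be rotated. Public keys are fine to commit, but ownership should be visible for audit; since JSON has no comments, the usual place is the authorized_keys comment field at the end of the key string itself, e.g. `"... AAAAIANTUgFOHIfRuVYEbxp8gD+H9uZV1RCQUC4AhCABYT57 <owner@host>"` (placeholder), which sshd ignores when matching and which deployment.nix appears to pass through unchanged into `restrict,command=...`.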
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 5345a161..3aeda9b5 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -18,6 +18,8 @@ let
           monitoringvpnIPv4 = "172.23.23.11";
       }))
     ];
+    services.private-storage.deployment.authorizedKey = config.deployKey;
+    services.private-storage.deployment.gridName = "local";
   };
 
   storage1 = {
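Review bot: The same two `services.private-storage.deployment.*` lines are pasted into four hosts (this hunk and the three following hunks in this file), so a later change to the key or grid name has to be made in four places and it is easy to miss one host. The surrounding `let` bindings are only partly visible, but each host already has an `imports` list, so a shared attrset could be bound once and added to every host's `imports` instead of repeating the assignments.
```nix
  # Deployment settings shared by every host on this grid; add `deployment`
  # to each host's `imports` list instead of repeating the two lines.
  deployment = {
    services.private-storage.deployment.authorizedKey = config.deployKey;
    services.private-storage.deployment.gridName = "local";
  };
```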
@@ -29,6 +31,8 @@ let
         stateVersion = "19.09";
       }))
     ];
+    services.private-storage.deployment.authorizedKey = config.deployKey;
+    services.private-storage.deployment.gridName = "local";
   };
 
   storage2 = {
@@ -40,6 +44,8 @@ let
         stateVersion = "19.09";
       }))
     ];
+    services.private-storage.deployment.authorizedKey = config.deployKey;
+    services.private-storage.deployment.gridName = "local";
   };
 
   monitoring = {
@@ -53,6 +59,8 @@ let
         stateVersion = "19.09";
       })
     ];
+    services.private-storage.deployment.authorizedKey = config.deployKey;
+    services.private-storage.deployment.gridName = "local";
   };
 
   # TBD: derive these automatically:
diff --git a/morph/grid/local/secrets/users.nix b/morph/grid/local/secrets/users.nix
index 93a8b660..e9819192 100644
--- a/morph/grid/local/secrets/users.nix
+++ b/morph/grid/local/secrets/users.nix
@@ -1,4 +1,3 @@
-# Add your public key. Example: 
-# let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
-let key = undefined;
+# Add your public key. Example:
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";
 in { "root" = key; "vagrant" = key; }
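Review bot: Replacing the `let key = undefined;` placeholder with one developer's personal key makes every local grid built from this branch trust that key for `root` and `vagrant`, whereas the placeholder previously forced each developer to supply their own; the commit message calls this temporary, but nothing in the file says so. Add a marker so it is not merged by accident, e.g. `# TODO: temporary key so the localdev grid can build itself; restore the undefined placeholder before merging.` The retained comment `# Add your public key. Example:` is also now misleading, since the line below it is the live value rather than an example.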
diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 417ef796..51046b43 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -40,6 +40,9 @@ rec {
   };
 
   imports = [
+    # Allow us to remotely trigger updates to this system.
+    ../../nixos/modules/deployment.nix
+
     ../../nixos/modules/issuer.nix
     ../../nixos/modules/monitoring/vpn/client.nix
     ../../nixos/modules/monitoring/exporters/node.nix
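Review bot: Importing deployment.nix unconditionally here (and in the monitoring.nix and storage.nix hunks) appears to make `authorizedKey` and `gridName` mandatory for every grid, not only local: the option declarations visible in the deployment.nix hunks show `type = lib.types.str` with no `default`, and its `config` block reads `inherit (cfg) authorizedKey gridName` unconditionally, so a grid that does not set both should fail to evaluate. If that is intended, say so in the comment; otherwise gate the module, e.g. `services.private-storage.deployment.enable = lib.mkEnableOption "remote deployment updates";` and `config = lib.mkIf cfg.enable { ... };`, so grids opt in rather than being forced to provide a key. Only the start of each option declaration is inside the hunk, so a default set on lines outside it would change this assessment.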
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index b48820f0..fa769d5e 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -21,6 +21,9 @@ rec {
   };
 
   imports = [
+    # Allow us to remotely trigger updates to this system.
+    ../../nixos/modules/deployment.nix
+
     ../../nixos/modules/monitoring/vpn/server.nix
     ../../nixos/modules/monitoring/server/grafana.nix
     ../../nixos/modules/monitoring/server/prometheus.nix
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 1cac51b4..ebad3d17 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -32,6 +32,8 @@ rec {
 
   # Any extra NixOS modules to load on this server.
   imports = [
+    # Allow us to remotely trigger updates to this system.
+    ../../nixos/modules/deployment.nix
     # Bring in our module for configuring the Tahoe-LAFS service and other
     # Private Storage-specific things.
     ../../nixos/modules/private-storage.nix
diff --git a/nixos/modules/deployment.nix b/nixos/modules/deployment.nix
old mode 100644
new mode 100755
index 592d373f..19cf7395
--- a/nixos/modules/deployment.nix
+++ b/nixos/modules/deployment.nix
@@ -1,5 +1,5 @@
 # A NixOS module which enables remotely-triggered deployment updates.
-{ config, ... }:
+{ config, lib, ... }:
 let
   # A handy alias for our part of the configuration.
   cfg = config.services.private-storage.deployment;
@@ -11,7 +11,7 @@ let
     "restrict,command=\"${command} ${gridName}\" ${authorizedKey}";
 in {
   options = {
-    services.private-storage.deployment.authorizedKey = {
+    services.private-storage.deployment.authorizedKey = lib.mkOption {
       type = lib.types.str;
       example = lib.literalExample ''
         ssh-ed25519 AAAAC3N...
@@ -20,7 +20,7 @@ in {
         The SSH public key to authorize to trigger a deployment update.
       '';
     };
-    services.private-storage.deployment.gridName = {
+    services.private-storage.deployment.gridName = lib.mkOption {
       type = lib.types.str;
       example = lib.literalExample "staging";
       description = ''
@@ -31,6 +31,9 @@ in {
 
   config = {
     users.users.deployment = {
+      # Without some shell no login is possible at all, even to execute our
+      # restricted command.
+      useDefaultShell = true;
       openssh.authorizedKeys.keys = [
         (restrictedKey {
           inherit (cfg) authorizedKey gridName;
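Review bot: Giving `deployment` a real shell on the added `useDefaultShell = true;` line means the only thing limiting that account over SSH is the `restrict,command=` prefix built by `restrictedKey`, and the same patch removes the `AllowUsers` line from ssh.nix whose stated justification was that system users have `nologin` and cannot log in anyway — a premise this hunk no longer satisfies. Rather than dropping the allow-list, extend it so the new account is the only addition, e.g. `AllowUsers ${builtins.concatStringsSep " " (builtins.attrNames cfg.sshUsers)} deployment` (assuming the removal was motivated by `deployment` not being in `cfg.sshUsers`). It would also help to extend the new comment with a sentence noting that the account's restriction now rests entirely on the authorized_keys `restrict,command=` option.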
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index 667bdd26..3e905283 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -40,12 +40,6 @@
         # Agent forwarding is fraught.  It can be used by an attacker to
         # leverage one compromised system into more.  Discourage its use.
         AllowAgentForwarding no
-
-        # Only allow authentication as one of the configured users, not random
-        # other (often system-managed) users.  Possibly this is also
-        # superfluous!  NixOS system users have nologin as their shell ... so they
-        # cannot log in anyway.
-        AllowUsers ${builtins.concatStringsSep " " (builtins.attrNames cfg.sshUsers)}
       '';
     };
 
diff --git a/nixos/modules/update-deployment b/nixos/modules/update-deployment
old mode 100644
new mode 100755
index dd988031..0f9c714e
--- a/nixos/modules/update-deployment
+++ b/nixos/modules/update-deployment
@@ -1,11 +1,17 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p morph
+#!nix-shell -i bash -p morph git
 
 set -euxo pipefail
 
 GRIDNAME=$1
 shift
 
+if [ "${GRIDNAME}" = "local" ]; then
+    BRANCH="323.continuous-deployment"
+else
+    BRANCH="${GRIDNAME}"
+fi
+
 CHECKOUT="/run/user/$(id --user)/PrivateStorageio"
 REPO="https://whetstone.privatestorage.io/privatestorage/PrivateStorageio.git"
 
@@ -15,7 +21,7 @@ else
     git clone "${REPO}" "${CHECKOUT}"
     # Check out the right branch ... which also happens to be named after this
     # grid (or maybe this grid is named after the branch).
-    git -C "${CHECKOUT}" checkout "${GRIDNAME}"
+    git -C "${CHECKOUT}" checkout "${BRANCH}"
 fi
 
 morph deploy "${CHECKOUT}"/morph/grid/"${GRIDNAME}"/grid.nix switch --on "$(hostname)"
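Review bot: The comment kept at `# Check out the right branch ... which also happens to be named after this grid` is now wrong for the local grid, because the previous hunk maps `local` to the hard-coded feature branch `323.continuous-deployment` and this line checks out `${BRANCH}` instead of `${GRIDNAME}`. Update the comment to say the branch normally matches the grid name except where the mapping above overrides it, and mark the override itself, e.g. `# TODO: temporary mapping while this branch is under development; drop once merged.` Note also that the script deploys whatever the remote branch tip contains with no integrity check beyond TLS on the clone; the `if` branch handling an existing checkout lies outside the hunk, so whether it fetches or verifies anything cannot be seen here.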
-- 
GitLab